COPPA Compliance 2025: What Organizations Need to Know

Children spend more time online than ever before, exploring, learning, playing, and socializing through websites, apps, and smart devices. While this digital engagement offers many benefits, it also exposes children to significant privacy risks. With limited awareness of how their personal information is collected and processed, and due to their typical trusting nature and lack of experience, children are especially vulnerable to tracking, profiling, targeting, and exploitation.

In recognition of this, the U.S. enacted the Children’s Online Privacy Protection Rule (COPPA) which places significant legal obligations on organizations that operate online services directed to children. Enforced by the Federal Trade Commission (FTC), COPPA is designed to give parents greater control over the personal information collected from their children online. The rule applies to operators of commercial websites and online services, including mobile apps, social media platforms, advertising networks, and connected devices, that:

  • are directed to children under 13 and collect personal information; or
  • have actual knowledge that they collect personal information from users under 13.

If your organization operates a website, app, game, or any online platform that collects data from users under the age of 13, COPPA compliance isn’t optional.

Key Provisions of COPPA and How to Comply

COPPA sets out the following requirements that companies must follow to enhance the privacy of children’s information.

Direct Notice to Parents

Organizations must provide direct notice to parents in cases such as:

  • Before collecting a child or their parent’s name or contact information to obtain consent for the collection, use, or disclosure of the child’s personal information;
  • When the organization intends to communicate with the child multiple times using their online contact information; and
  • When collecting a child’s and parent’s name and online contact information for protecting a child’s safety.

COPPA requires different information to be included in the direct notice depending on the circumstances. However, the notice to parents should generally include:

  • That the organization has collected the parent’s online contact information from the child to obtain the parent’s consent, and should state the name of the child (where applicable);
  • That the parent’s consent is required for collecting, using, or disclosing any personal information of the child and that the organization will not perform those processing activities without the parent’s consent;
  • That the parent may refuse to allow the child’s participation on the website or online service and require deletion of the parent’s and child’s contact information;
  • A hyperlink to the organization’s online privacy policy;
  • The method through which the parent can provide verifiable consent; and
  • Should the parent fail to provide consent within a certain timeframe, then the organization will delete the parent’s personal information.

Online Notice of Data Privacy Practices

In addition to the direct notice, organizations must post a distinct, clearly labeled link to an online notice of its data privacy practices concerning children. The link must be placed:

  • On the home page, landing page, or splash screen of the website or online service; and
  • In close proximity to any area of the website or online service where a child’s personal information is collected.

The online notice must state the following:

  • The contact details of all third-party organizations that are collecting or maintaining personal information of children through the website or online service;
  • A description of the type of information that is collected from children including whether the website or online service allows children to make their personal information publicly available;
  • A description of the processing activities the organization performs on the personal information of children;
  • The disclosure practices of personal information of children; and
  • The parent has the right to review or request deletion of the child’s personal information and refuse any further processing activities.

Verifiable Parental Consent Requirements

Companies need to obtain verifiable parental consent before collecting, using, and/or disclosing the personal information of children. Potential methods of obtaining verifiable parental consent include:

  • Signed consent forms provided to the organization through available means of communication;
  • Use of credit cards or other payment methods that provide identity verification;
  • Telephone calls to a toll-free number or video calls;
  • Government ID submission verification; and
  • Consent through trusted third-party verification services.

Parental Rights to Review and Control Children’s Personal Information

Organizations must provide parents with reasonable means to review the personal information collected from a child and allow parents to make decisions regarding that personal information such as deletion and restriction on processing activities. The website or online service must support actions that enable parents to:

  • Review the personal information collected about their child;
  • Revoke their consent at any time; and
  • Request deletion of their child’s data.

Data Collection Limitation

Organizations should not make a child’s participation in a game, eligibility to win a prize, or other activity dependent on the child providing more personal information than is necessarily required for participation in that activity.

Data Protection and Security

Organizations must adopt reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. This includes safeguarding data during collection, storage, and transmission, as well as managing third-party processors responsibly.

Future of Children’s Privacy Laws

On January 16, 2025, the FTC finalized amendments to the COPPA Rule. The final text was published in the Federal Register on April 22, 2025, and the amendments take effect on June 23, 2025. Some key changes organizations can expect include:

1. Increased requirements for the direct notice to parents: The direct notice will need to include additional information, such as the name or category of third parties that may receive a child’s personal information as well as the organization’s data retention policy.

2. Changes to parental consent: Organizations will need to give parents the option to consent to the collection and use of the child’s personal information without consenting to disclosure to third parties, unless disclosure is integral to the website or online service.

3. Additional methods for verification of consent:

  • Authentication based on knowledge using multiple choice questions that children would not likely be able to answer;
  • Authentication by facial recognition using government-issued ID photograph compared against a photo of the parent; and
  • Sending a confirmation text to a parent following the provision of consent or obtaining a postal address or phone number from a parent.
  • Additional reporting requirements to the FTC for the safe harbor programs.

4. New Definitions: The term ‘mixed audience’ is now clearly defined as websites or online services that are not primarily directed to children but may still collect personal information from children. This helps operators better understand which websites or services are directed toward children.

5. Data Retention Limits: Operators must now limit the retention of children’s personal information to the minimum necessary to fulfill the purpose for which it was collected.

6. Opt-in Consent for Targeted Ads: New opt-in requirements ensure that parental consent is obtained before personal information is shared for targeted advertising.

7. Information Security Program: Organizations will need to create and maintain a written formal information security program that applies to the personal information of children.

Consequences of Non-Compliance

Non-compliance with COPPA can result in significant financial penalties. The FTC has levied millions of dollars in fines against companies that failed to meet these requirements. Beyond fines, violations can cause serious reputational damage and result in increased regulatory scrutiny.

One example of COPPA enforcement is the $170 million fine issued to YouTube for tracking browsing activities on children’s channels with the use of cookies and without obtaining parental consent.

More recently, video game developer Cognosphere agreed to a $20 million settlement for unfairly marketing loot boxes to children and failing to notify parents and obtain verifiable consent.

Conclusion

As digital engagement with children continues to grow, so does the importance of transparent, responsible data practices. COPPA compliance is not just about checking legal boxes—it’s about building trust with your youngest users and their families.

If your product or service interacts with children or may be used by them, you must take proactive steps to assess your data practices, drive compliance, and document your processes.

VeraSafe specializes in helping organizations navigate compliance requirements including those mandated by COPPA. Contact us today for a free consultation. 


You may also like: 
Key Privacy Laws Taking Effect in 2025  
Are You a “Trader” Under the DSA? 
Ensure Your Business Complies with California Privacy Law: Practical Tips for Handling Privacy Rights Requests

Related topics: US Privacy Laws, Privacy News 

Monthly Newsletter

Contact VeraSafe to discuss your data security management and privacy program today.